The security helper tool was created to reduce the probability of a security violation in new code, infrastructure or IAM configuration by giving you a fast, easy way to run a preliminary security check as early as possible in your development process.
- It is not a replacement for human review or for security standards.
- It uses lightweight open-source tools so that it stays flexible and can run from anywhere.
- ASH clones and runs several open-source tools, such as git-secrets, bandit, Semgrep, Grype, Syft, nbconvert, npm-audit, checkov, cdk-nag and cfn-nag. Review each tool's license before use.
The security helper supports the following vectors:
- Code
  - Git
    - git-secrets - finds API keys, passwords and AWS keys in the code
  - Python
    - Bandit - finds common security issues in Python code
  - Jupyter Notebook
    - nbconvert - converts Jupyter Notebook (.ipynb) files into Python scripts, which are then scanned with Bandit
  - JavaScript; NodeJS
  - Go
  - Bash
    - Semgrep - finds common security issues in Bash code
  - C#
    - Semgrep - finds common security issues in C# code
  - Java
- Infrastructure
To start using ash, install and configure the following:
- Install Docker. You can refer to this installation guide.
```bash
# Clone the repo
git clone URL/Automated-Security-Helper /DESTINATION/DIR
# Add the repo directory to your PATH for easier access
export PATH=$PATH:/DESTINATION/DIR
# Execute the helper tool
ash
# Get help
ash -h
# Scan a directory
ash --source-dir /my/remote/files
# Save the final report to a different directory
ash --output-dir /my/remote/files
# Force a rebuild of the entire framework to pick up the latest changes and an up-to-date vulnerability database
ash --force
# Force a scan of Python code only
ash --source-dir . --ext py
```
All options can be combined in a single command.
```
NAME:
    ash
SYNOPSIS:
    ash [OPTIONS] --source-dir /path/to/dir --output-dir /path/to/dir
OPTIONS:
    -v | --version          Prints the version number.
    -p | --preserve-report  Adds a timestamp to the final report file name so that repeated runs do not overwrite it.
    --source-dir            Path to the directory containing the code/files you wish to scan. Defaults to $(pwd).
    --output-dir            Path to the directory that will contain the scan report. Defaults to $(pwd).
    --ext | -extension      Force a file extension to scan. Defaults to identifying files automatically.
    --force                 Rebuild the Docker images of the scanning tools to make sure the software is up to date.
    -q | --quiet            Don't print verbose text about the build process.
```
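The commands above are typed by hand; in a CI job or a pre-push hook you want the same invocation wrapped so that a missing source directory, a scan that failed to run, or a report containing findings each stop the pipeline with a distinct exit code. The function below is an added example written for this page, not code from the ASH project. It assumes three things the page does not state: the name prefix of the report file that ash writes into `--output-dir` (passed in as `REPORT_PREFIX`, because `-p` adds a timestamp to the file name), a text pattern that marks a finding in that report (optional `FAIL_PATTERN`), and an `ASH_BIN` environment variable that lets you point the wrapper at a different `ash` command.

```shell
#!/usr/bin/env sh
# Added example: a CI / pre-push gate around ash. Not part of the ASH project.
# Assumptions not stated on the page: the report file prefix and the finding
# pattern are supplied by the caller; ASH_BIN overrides the ash command.
#
# Usage: run_ash_gate SOURCE_DIR OUTPUT_ROOT REPORT_PREFIX [FAIL_PATTERN]
# Exit codes: 0 clean, 1 findings matched, 2 bad input, 3 ash failed, 4 no report.

run_ash_gate() {
    src="$1"; out_root="$2"; report_prefix="$3"; pattern="${4:-}"
    ash_bin="${ASH_BIN:-ash}"

    if [ ! -d "$src" ]; then
        echo "source dir not found: $src" >&2
        return 2
    fi

    # One output directory per run, in addition to -p, so reports are never
    # overwritten and each pipeline run keeps its own evidence.
    run_out="$out_root/ash-$(date +%Y%m%dT%H%M%S)-$$"
    mkdir -p "$run_out" || return 2

    # -q keeps CI logs readable; -p timestamps the report file name.
    if ! "$ash_bin" --source-dir "$src" --output-dir "$run_out" -p -q; then
        echo "ash exited non-zero, scan did not complete" >&2
        return 3
    fi

    # -p may append a timestamp, so match the report on its prefix only.
    found_report=$(find "$run_out" -maxdepth 1 -name "${report_prefix}*" | head -n 1)
    if [ -z "$found_report" ]; then
        echo "no report produced in $run_out" >&2
        return 4
    fi

    # A pattern match in the report means findings: fail the gate but leave
    # the report in place so the developer can read it.
    if [ -n "$pattern" ] && grep -q -- "$pattern" "$found_report"; then
        echo "findings present, see $found_report" >&2
        return 1
    fi

    echo "scan clean: $found_report"
    return 0
}
```

Call it from a hook as `run_ash_gate "$(git rev-parse --show-toplevel)" /tmp/ash-reports aggregated_results "Issue:"` (the prefix and pattern are placeholders to adjust to the ASH version you run). Keeping the four failure modes on separate exit codes lets the pipeline distinguish "the scanner broke" from "the code has findings", which matters when you decide whether a failure should block a merge.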
- Q: How do I run ash on a Windows machine?
- A: Install Windows Subsystem for Linux (WSL) with an Ubuntu distribution. Be sure to use WSL 2.
  - Install Docker Desktop for Windows and enable its WSL integration.
  - Clone this git repository.
  - Execute the helper tool from the cloned folder inside the Ubuntu WSL shell.
See CONTRIBUTING for more information.
This library is licensed under the Apache 2.0 License. See the LICENSE file.